chore: bump yaml version for security finding (#1193)

We currently have a dependabot security finding not resolving due to a fixed yaml version in cdk8s. Finding: cdk8s-team/cdk8s-plus#1977 ``` cdk8s@2.7.56 requires yaml@2.0.0-7 cdk8s-cli@1.3.20 requires yaml@2.0.0-7 via a transitive dependency on cdk8s@1.10.54 ``` NOTE: * Looks like there are some more changes added when I run `npx projen`. * Yaml `defaultOptions` for schema was removed in an update. Recommendation is to explicitly mention the version in `parse and document`. Related PR: eemeli/yaml#346 (cherry picked from commit 3801c95) Signed-off-by: Vinayak Kukreja <78971045+vinayak-kukreja@users.noreply.github.com> # Conflicts: # .projen/tasks.json # .projenrc.js
cdk8s-team · May 15, 2023 · 38d391f · 38d391f
1 parent 490ce79
commit 38d391f
Show file tree

Hide file tree

Showing 9 changed files with 20 additions and 23 deletions.
diff --git a/.projen/deps.json b/.projen/deps.json
diff --git a/.projen/tasks.json b/.projen/tasks.json
diff --git a/.projenrc.js b/.projenrc.js
@@ -10,7 +10,7 @@ const project = new Cdk8sTeamJsiiProject({
     'constructs',
   ],
   bundledDeps: [
-    'yaml@2.0.0-7',
+    'yaml',
     'follow-redirects',
     'fast-json-patch',
   ],
@@ -40,9 +40,6 @@ const project = new Cdk8sTeamJsiiProject({
     },
   },
   golangBranch: '1.x',
-  depsUpgradeOptions: {
-    exclude: ['yaml'],
-  },
 });
 
 // _loadurl.js is written in javascript so we need to commit it and also copy it

diff --git a/package.json b/package.json
diff --git a/src/yaml.ts b/src/yaml.ts
@@ -9,7 +9,7 @@ const MAX_DOWNLOAD_BUFFER = 10 * 1024 * 1024;
 // Set default YAML schema to 1.1. This ensures saved YAML is backward compatible with other parsers, such as PyYAML
 // It also ensures that octal numbers in the form `0775` will be parsed
 // correctly on YAML load. (see https://github.com/eemeli/yaml/issues/205)
-YAML.defaultOptions.version = '1.1';
+const yamlSchemaVersion = '1.1';
 
 /**
  * YAML utilities.
@@ -72,7 +72,9 @@ export class Yaml {
   public static load(urlOrFile: string): any[] {
     const body = loadurl(urlOrFile);
 
-    const objects = YAML.parseAllDocuments(body);
+    const objects = YAML.parseAllDocuments(body, {
+      version: yamlSchemaVersion,
+    });
     const result = new Array<any>();
 
     for (const obj of objects.map(x => x.toJSON())) {

diff --git a/test/__snapshots__/yaml.test.ts.snap b/test/__snapshots__/yaml.test.ts.snap
diff --git a/test/app.test.ts b/test/app.test.ts
@@ -44,7 +44,9 @@ test('can hook into chart synthesis with during synthYaml', () => {
   }
 
   new MyChart(app, 'Chart');
-  const manifest = YAML.parseAllDocuments(app.synthYaml());
+  const manifest = YAML.parseAllDocuments(app.synthYaml(), {
+    version: '1.1',
+  });
   expect(manifest.length).toEqual(1);
   expect(manifest[0].get('kind')).toEqual('Kind2');
 

diff --git a/test/include.test.ts b/test/include.test.ts
@@ -12,7 +12,9 @@ test('Include can be used to load from YAML', () => {
   new Include(chart, 'guestbook', { url: source });
 
   // THEN
-  const expected = yaml.parseAllDocuments(fs.readFileSync(source, 'utf-8')).map(x => x.toJSON());
+  const expected = yaml.parseAllDocuments(fs.readFileSync(source, 'utf-8'), {
+    version: '1.1',
+  }).map(x => x.toJSON());
   const actual = Testing.synth(chart);
   expect(actual).toStrictEqual(expected);
 });

diff --git a/yarn.lock b/yarn.lock